
GPG signature warning, default 'no' still goes ahead and starts installing
Open, Low, Public, BUG

Description

I just got a GPG signature error while installing 1.2.0-rc11. Fine, I was planning on simply restarting add system image https://downloads.vyos.io/testing/1.2.0-rc11/vyos-1.2.0-rc11-amd64.iso to see if that would help.

marlinc@r1:~$ add system image https://downloads.vyos.io/testing/1.2.0-rc11/vyos-1.2.0-rc11-amd64.iso
Trying to fetch ISO file from https://downloads.vyos.io/testing/1.2.0-rc11/vyos-1.2.0-rc11-amd64.iso
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  352M  100  352M    0     0  1273k      0  0:04:43  0:04:43 --:--:-- 3381k
ISO download succeeded.
Checking for digital signature file...
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   836  100   836    0     0   2123      0 --:--:-- --:--:-- --:--:--  2121
Found it.  Checking digital signature...
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: assuming signed data in `/var/tmp/install-image.11577/vyos-1.2.0-rc11-amd64.iso'
gpg: Signature made Mon 17 Dec 2018 10:47:55 PM UTC using RSA key ID A0FE6D7E
gpg: Can't check signature: public key not found
Signature check FAILED.
Do you want to continue anyway? (yes/no) [no]

As you can see, the default action is no, so I simply pressed Enter, expecting to be dropped to the shell.

Instead the install continues:

OK. Proceeding with installation anyway.
Checking MD5 checksums of files on the ISO image...OK.
Done!
What would you like to name this image? [1.2.0-rc11]: ^C
ERROR: Signal received. Exiting...
Done

Details

Difficulty level
Unknown (require assessment)
Version
1.2.0-rolling+201807160337
Why the issue appeared?
Will be filled on close

Event Timeline

m.cremers updated the task description.Dec 20 2018, 2:34 PM
pasik added a subscriber: pasik.Dec 20 2018, 2:54 PM
syncer assigned this task to kroy.Dec 21 2018, 10:21 AM
syncer triaged this task as Low priority.
syncer edited projects, added VyOS 1.3 Equuleus; removed VyOS 1.2 Crux.

I can confirm that this problem also exists in VyOS 1.1.x when trying to upgrade to 1.1.8. I consider this a pretty big security vulnerability, and this should be fixed in 1.1.x, not just in 1.3 or 1.2.

kroy added a comment.Dec 28 2018, 9:40 PM

I can confirm that this is broken everywhere "get_response" is used, where the default should be "no". GPG signatures are ignored, disks are deleted, etc. I'll work on making up a sane replacement.
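The failure class described in this task, as an added illustration that is not VyOS's own install-image code: a confirmation prompt that treats a bare Enter as anything other than the stated default "no", beside a version that resolves an empty answer to the default and accepts only an explicit yes. The function names and the caller are hypothetical.

```shell
#!/bin/sh
# Added illustration, not VyOS's install-image script. Function names and
# the caller below are hypothetical; prompts go to stderr so stdout carries
# only the decision.

# Buggy pattern: anything other than a literal "no" counts as consent.
# A bare Enter (or EOF) leaves $answer empty, which is not "no", so the
# caller proceeds even though the prompt advertised [no] as the default.
buggy_confirm() {
    printf '%s (yes/no) [no] ' "$1" >&2
    read -r answer || answer=""
    [ "$answer" != "no" ]   # status 0 (proceed) for "", "y", "maybe" ...
}

# Fixed pattern: an empty answer resolves to the default, and only an
# explicit yes is consent. Usage: safe_confirm PROMPT DEFAULT
safe_confirm() {
    printf '%s (yes/no) [%s] ' "$1" "$2" >&2
    read -r answer || answer=""
    [ -z "$answer" ] && answer="$2"
    case "$answer" in
        [Yy]|[Yy][Ee][Ss]) return 0 ;;  # proceed
        *)                 return 1 ;;  # refuse on "no", typos, EOF
    esac
}

# Caller mirroring the install flow after a failed signature check: the
# install must stop unless the operator explicitly types yes.
after_failed_signature() {
    echo "Signature check FAILED." >&2
    if safe_confirm "Do you want to continue anyway?" no; then
        echo "proceed"
    else
        echo "abort"
    fi
}
```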